b"                                                     U.S. OFFICE OF PERSONNEL MANAGEMENT\n                                                           OFFICE OF THE INSPECTOR GENERAL\n                                                                            OFFICE OF AUDITS\n\n\n\n\n                                   Final Audit Report\nSubject:\n\n\n\n  AUDIT OF THE INFORMATION TECHNOLOGY\n          SECURITY CONTROLS OF THE\n  U.S. OFFICE OF PERSONNEL MANAGEMENT\xe2\x80\x99S\n       DEVELOPMENT TEST PRODUCTION\n           GENERAL SUPPORT SYSTEM\n                    FY 2014\n                                           Report No. 4A-CI-00-14-015\n\n\n                                           Date:                 June 6, 2014\n\n\n\n\n                                                          --CAUTION--\nThis audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit\nreport may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available\nunder the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before\nreleasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.\n\x0c                                                       Audit Report\n\n                              U.S. OFFICE OF PERSONNEL MANAGEMENT\n                               -------------------------------------------------------------\n                   AUDIT OF THE INFORMATION TECHNOLOGY SECURITY\n                      CONTROLS OF THE U.S. 
OFFICE OF PERSONNEL\n                    MANAGEMENT\xe2\x80\x99S DEVELOPMENT TEST PRODUCTION\n                              GENERAL SUPPORT SYSTEM\n                                             FY 2014\n                                  --------------------------------\n                                    WASHINGTON, D.C.\n\n\n\n                                          Report No. 4A-CI-00-14-015\n\n                                          Date:                 June 6, 2014\n\n\n\n\n                                                                                     Michael R. Esser\n                                                                                     Assistant Inspector General\n                                                                                       for Audits\n\n\n\n\n                                                          --CAUTION--\nThis audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit\nreport may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available\nunder the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before\nreleasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.\n\x0c                                    Executive Summary\n\n\n                      U.S. OFFICE OF PERSONNEL MANAGEMENT\n                       -------------------------------------------------------------\n              AUDIT OF THE INFORMATION TECHNOLOGY SECURITY\n                 CONTROLS OF THE U.S. 
OFFICE OF PERSONNEL\n               MANAGEMENT\xe2\x80\x99S DEVELOPMENT TEST PRODUCTION\n                         GENERAL SUPPORT SYSTEM\n                                        FY 2014\n                             --------------------------------\n                               WASHINGTON, D.C.\n\n\n\n                                  Report No. 4A-CI-00-14-015\n\n                                 Date:              June 6, 2014\n\nThis final audit report discusses the results of our audit of the information technology security\ncontrols of the U.S. Office of Personnel Management\xe2\x80\x99s (OPM) Development Test Production\nGeneral Support System (DTP). Our conclusions are detailed in the \xe2\x80\x9cResults\xe2\x80\x9d section of this\nreport.\n\nSecurity Assessment and Authorization (SA&A)\nDTP does not have a current SA&A package, nor an active authorization to operate.\n\nFederal Information Processing Standards (FIPS) 199 Analysis\nA FIPS199 analysis was last performed on DTP as a part of the 2010 SA&A package that\nexpired in August 2013.\n\nSystem Security Plan (SSP)\nA SSP was last developed for DTP as a part of the 2010 SA&A that expired in August 2013.\n\nRisk Assessment\nA risk assessment was last conducted for DTP as a part of the 2010 SA&A that expired in\nAugust 2013.\n\n                                                    i\n\x0cIndependent Security Control Testing\nSecurity controls were not independently assessed for DTP within the past three years, as\nrequired by National Institute of Standards and Technology (NIST) and OPM policy.\n\nSecurity Control Continuous Monitoring\nThe owners of DTP did not submit continuous monitoring security reports in March or\nSeptember, 2013, as required by OPM policy. 
However, a report has been submitted in April\n2014.\n\nContingency Planning and Contingency Plan Testing\nA contingency plan was developed for DTP that is in compliance with NIST, however the\ncontingency plan for DTP has not been tested in the past year.\n\nPrivacy Impact Assessment (PIA)\nA privacy threshold analysis was conducted for DTP that determined that a PIA was not\nrequired.\n\nPlan of Action and Milestones (POA&M) Process\nThe DTP POA&M follows the format of the OPM POA&M guide, and has been routinely\nsubmitted to the OCIO for evaluation.\n\nNIST Special Publication 800-53 Revision 4 Evaluation\nWe evaluated the degree to which a subset of the IT security controls outlined in NIST SP 800-\n53 Revision 4 was implemented for DTP. We determined that one area of controls related to the\nchange management process could be improved.\n\nSystem Organization and Classification\nThe production environment of DTP resides on OPM\xe2\x80\x99s Local Area Network/Wide Area Network\n(LAN/WAN) General Support System, and is not segregated from the production applications\nhosted on LAN/WAN. Essentially there are two production environments.\n\nWhile there are clearly defined technical boundaries segregating the development and test\nenvironments from the production environment within DTP, there should only be one production\nenvironment in OPM\xe2\x80\x99s infrastructure.\n\n\n\n\n                                               ii\n\x0c                                                                     Contents\n                                                                                                                                                   Page\n\nExecutive Summary.............................................................................................................................. 
i\nIntroduction ..........................................................................................................................................1\nBackground...........................................................................................................................................1\nObjectives .............................................................................................................................................1\nScope and Methodology .......................................................................................................................1\nCompliance with Laws and Regulations ..............................................................................................3\nResults ..................................................................................................................................................4\n       I.         Security Assessment and Authorization ...........................................................................4\n       II.        FIPS 199 Analysis.............................................................................................................4\n       III.       System Security Plan ........................................................................................................5\n       IV.        Risk Assessment ...............................................................................................................5\n       V.         Independent Security Control Testing ..............................................................................5\n       VI.        Security Control Continuous Monitoring .........................................................................6\n       VII.       Contingency Planning and Contingency Plan Testing......................................................6\n       VIII.      
Privacy Impact Assessment ..............................................................................................7\n       IX.        Plan of Action and Milestones Process .............................................................................7\n       X.         NIST SP 800-53 Revision 4 Evaluation ...........................................................................8\n       XI.        System Organization and Classification ...........................................................................9\nMajor Contributors to this Report ......................................................................................................11\n       Appendix: The Office of the Chief Information Officer\xe2\x80\x99s May 20, 2014 response to the draft\n                 audit report, issued April 15, 2014.\n\x0c                                       Introduction\nOn December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107\xe2\x80\x91347),\nwhich includes Title III, the Federal Information Security Management Act (FISMA). It requires\n(1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency\nreporting to the Office of Management and Budget (OMB) the results of IG evaluations for\nunclassified systems, and (4) an annual OMB report to Congress summarizing the material\nreceived from agencies. In accordance with FISMA, we audited the information technology (IT)\nsecurity controls related to the Office of Personnel Management\xe2\x80\x99s (OPM) Development Test\nProduction General Support System (DTP).\n\n                                        Background\nThe DTP environment is a general support system that was designed to be a separate technical\nenvironment from OPM\xe2\x80\x99s Local Area Network / Wide Area Network (LAN/WAN) production\nenvironment. 
DTP is intended to host the testing and development of applications, while\nLAN/WAN is designed to hose production applications.\n\n                                         Objectives\nOur objective was to perform an evaluation of the security controls for DTP to ensure that the\nOffice of the Chief Information Officer (OCIO) has implemented IT security policies and\nprocedures in accordance with standards established by FISMA, the National Institute of\nStandards and Technology (NIST), the Federal Information System Controls Audit Manual and\nOPM\xe2\x80\x99s OCIO.\n\nThe audit objective was accomplished by reviewing the degree to which a variety of security\nprogram elements have been implemented for DTP, including:\n\xef\x82\xb7   Security Assessment and Authorization;\n\xef\x82\xb7   FIPS 199 Analysis;\n\xef\x82\xb7   System Security Plan;\n\xef\x82\xb7   Risk Assessment;\n\xef\x82\xb7   Independent Security Control Testing;\n\xef\x82\xb7   Security Control Continuous Monitoring;\n\xef\x82\xb7   Contingency Planning and Contingency Plan Testing;\n\xef\x82\xb7   Privacy Impact Assessment;\n\xef\x82\xb7   Plan of Action and Milestones Process; and\n\xef\x82\xb7   NIST Special Publication 800-53 Revision 4 Security Controls.\n\n                               Scope and Methodology\nThis performance audit was conducted in accordance with Government Auditing Standards,\nissued by the Comptroller General of the United States. Accordingly, the audit included an\nevaluation of related policies and procedures, compliance tests, and other auditing procedures\nthat we considered necessary. The audit covered FISMA compliance efforts of the OCIO,\nincluding IT security controls in place as of March 2014.\n\n                                                1\n\x0cWe considered the DTP internal control structure in planning our audit procedures. 
These\nprocedures were mainly substantive in nature, although we did gain an understanding of\nmanagement procedures and controls to the extent necessary to achieve our audit objectives.\n\nTo accomplish our objectives, we interviewed OPM personnel with security responsibilities for\nDTP. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and\nguidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the\nextent to which established controls and procedures are functioning as required.\n\nDetails of the security controls protecting the confidentiality, integrity, and availability of DTP\nare located in the \xe2\x80\x9cResults\xe2\x80\x9d section of this report. Since our audit would not necessarily disclose\nall significant matters in the internal control structure, we do not express an opinion on the DTP\nsystem of internal controls taken as a whole.\n\nThe criteria used in conducting this audit include:\n\xef\x82\xb7   OPM Information Security and Privacy Policy Handbook;\n\xef\x82\xb7   OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;\n\xef\x82\xb7   E-Government Act of 2002 (P.L. 
107-347), Title III, Federal Information Security\n    Management Act of 2002;\n\xef\x82\xb7   The Federal Information System Controls Audit Manual;\n\xef\x82\xb7   NIST SP 800-12, An Introduction to Computer Security;\n\xef\x82\xb7   NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information\n    Systems;\n\xef\x82\xb7   NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;\n\xef\x82\xb7   NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;\n\xef\x82\xb7   NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to\n    Federal Information Systems;\n\xef\x82\xb7   NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems\n    and Organizations;\n\xef\x82\xb7   NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information\n    Systems to Security Categories;\n\xef\x82\xb7   NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and\n    Capabilities;\n\xef\x82\xb7   Federal Information Processing Standards (FIPS) Publication 199, Standards for Security\n    Categorization of Federal Information and Information Systems; and\n\xef\x82\xb7   Other criteria as appropriate.\n\nIn conducting the audit, we relied to varying degrees on computer-generated data. Due to time\nconstraints, we did not verify the reliability of the data generated by the various information\nsystems involved. However, nothing came to our attention during our audit testing utilizing the\ncomputer-generated data to cause us to doubt its reliability. We believe that the data was\nsufficient to achieve the audit objectives. 
Except as noted above, the audit was conducted in\naccordance with generally accepted government auditing standards issued by the Comptroller\nGeneral of the United States.\n\n\n                                                 2\n\x0cThe audit was performed by the OPM Office of the Inspector General, as established by the\nInspector General Act of 1978, as amended. The audit was conducted from October 2013\nthrough March 2014 in OPM\xe2\x80\x99s Washington, D.C. office. This was our first audit of the security\ncontrols surrounding DTP.\n\n                   Compliance with Laws and Regulations\nIn conducting the audit, we performed tests to determine whether OCIO\xe2\x80\x99s management of DTP\nis consistent with applicable standards. Nothing came to our attention during this review to\nindicate that the OCIO is in violation of relevant laws and regulations.\n\n\n\n\n                                              3\n\x0c                                               Results\nI. Security Assessment and Authorization\n   DTP does not have a current Security Assessment and Authorization (SA&A) package, nor an\n   active authorization to operate.\n\n   The most recent SA&A of DTP was completed in August 2010, and expired in August 2013.\n\n   NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information\n   Systems, provides guidance to federal agencies in meeting security accreditation requirements.\n   Although the 2010 SA&A is no longer valid, it appears to have been conducted in compliance\n   with NIST requirements.\n\n   Recommendation 1\n   We recommend that the DTP environment be subject to a complete and current SA&A process.\n\n   OCIO Response:\n   \xe2\x80\x9cOCIO intends to make the DTP environment a sub-system of the LAN/WAN GSS within the\n   next four months. The LAN/WAN GSS will have a new SA&A completed at that time. 
Many\n   of the weaknesses identified within this OIG audit with the DTP environment will be\n   remediated as a result of that SA&A process.\xe2\x80\x9d\n\n   OIG Reply:\n   As part of the audit resolution process, we recommend that the OCIO provide OPM\xe2\x80\x99s Internal\n   Oversight and Compliance (IOC) division with evidence that DTP has been migrated under the\n   LAN/WAN as a sub-system. Furthermore, the OCIO should provide IOC with an updated\n   LAN/WAN System Security Plan that includes DTP as a minor application and documents the\n   security controls that DTP inherits from the LAN/WAN.\n\nII. FIPS 199 Analysis\n   FIPS Publication 199, Standards for Security Categorization of Federal Information and\n   Information Systems, requires federal agencies to categorize all federal information and\n   information systems in order to provide appropriate levels of information security according to a\n   range of risk levels.\n\n   NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems\n   to Security Categories, provides an overview of the security objectives and impact levels\n   identified in FIPS Publication 199.\n\n   The OCIO leveraged FIPS 199 to analyze the information processed by the system and its\n   corresponding potential impacts on confidentiality, integrity, and availability. As of June 24,\n   2010 DTP is categorized with a low impact level for confidentiality and availability, and a\n   moderate impact level for integrity, resulting in an overall categorization of moderate.\n\n\n                                                    4\n\x0c    The security categorization of DTP appears to be consistent with FIPS 199 and NIST SP 800-60\n    requirements, and the OIG agrees with the categorization of moderate.\n\n    However, the most recent FIPS 199 analysis performed on DTP was part of the previous SA&A\n    package that, as mentioned in section I above, expired in August 2013.\n\nIII. 
System Security Plan\n    Federal agencies must implement on each information system the security controls outlined in\n    NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and\n    Organizations. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal\n    Information Systems, requires that these controls be documented in a SSP for each system, and\n    provides guidance for doing so.\n\n    The SSP for DTP contains the majority of the elements outlined in NIST SP 800-18.\n\n    However, the most recent SSP developed for DTP was part of the previous SA&A package that,\n    as mentioned in section I above, expired in August 2013.\n\nIV. Risk Assessment\n    A risk assessment is used as a tool to identify security threats, vulnerabilities, potential impacts,\n    and probability of occurrence. In addition, a risk assessment is used to evaluate the effectiveness\n    of security policies and recommend countermeasures to ensure adequate protection of\n    information technology resources.\n\n    NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, offers a nine step\n    systematic approach to conducting a risk assessment that includes: (1) system characterization;\n    (2) threat identification; (3) vulnerability identification; (4) control analysis; (5) likelihood\n    determination; (6) impact analysis; (7) risk determination; (8) control recommendation; and (9)\n    results documentation.\n\n    A risk assessment was conducted for DTP as a part of its 2010 SA&A that addressed all major\n    elements outlined in the NIST guidance.\n\n    However, the most recent risk assessment performed on DTP was part of the previous SA&A\n    package that, as mentioned in section I above, expired in August 2013.\n\nV. Independent Security Control Testing\n    An independent security control assessment was completed for DTP in August 2010 as a part of\n    the system\xe2\x80\x99s SA&A process. 
The security assessment was conducted by another government\n    entity, the Bureau of Public Debt. We reviewed the documentation resulting from this test to\n    ensure that it included a review of the appropriate management, operational, and technical\n    controls required for a system with a \xe2\x80\x9cmoderate\xe2\x80\x9d security categorization according to NIST SP\n    800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and\n    Organizations.\n\n\n                                                      5\n\x0c     Independent security control testing is part of the SA&A process and should be performed at\n     least every three years. DTP was due for independent security control testing in August 2013.\n\nVI. Security Control Continuous Monitoring\n     FISMA requires that the IT security controls of each major application owned by a federal\n     agency be tested on an annual basis. Furthermore, NIST SP 800-53 Revision 4 mandates the\n     development of a security assessment plan and outlines the required inclusions.\n\n     The most recent self-assessment of security controls for DTP was conducted in August 2012.\n     All major elements outlined in the NIST guidance were addressed.\n\n     OPM\xe2\x80\x99s internal IT policies now require that the IT security controls of each major application\n     owned by a federal agency be tested on a continual basis. 
In the years that an independent\n     assessment is not being conducted as part of an SA&A, the system\xe2\x80\x99s owner must test a subset of\n     security controls twice per year in accordance with OPM\xe2\x80\x99s continuous monitoring methodology.\n\n     The owners of DTP did not submit continuous monitoring security reports in March or\n     September, 2013, as required by OPM policy.\n\n     Recommendation 2\n     We recommend that DTP be subject to continuous monitoring of security controls in accordance\n     with OPM policy.\n\n     OCIO Response:\n     \xe2\x80\x9cOCIO completed and submitted the Information System Continuous Monitoring Report for\n     the DTP environment on 04/16/14. This report encompassed all the moderate controls that\n     ITSP required to be tested in Q1 and Q2 of FY14.\xe2\x80\x9d\n\n     OIG Reply:\n     The evidence provided by the OCIO in response to the draft audit report indicates that the\n     FY 2014 quarter two continuous monitoring submission was in compliance with OPM\n     requirements. As part of the audit resolution process, we recommend that OCIO provide OPM\xe2\x80\x99s\n     IOC division with evidence of the next continuous monitoring submission.\n\nVII. Contingency Planning and Contingency Plan Testing\n     NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems,\n     states that effective contingency planning, execution, and testing are essential to mitigate the risk\n     of system and service unavailability. OPM\xe2\x80\x99s security policies require all major applications to\n     have viable and logical disaster recovery and contingency plans, and that these plans be annually\n     reviewed, tested, and updated.\n\n     Contingency Plan\n     The DTP contingency plan documents the functions, operations, and resources necessary to\n     restore and resume DTP operations when unexpected events or disasters occur. 
The DTP\n\n                                                       6\n\x0c      contingency plan follows the format suggested by NIST SP 800-34 Revision 1 and contains a\n      majority of the suggested elements.\n\n      Contingency Plan Test\n      NIST SP 800-34 Revision 1 also provides guidance for testing contingency plans and\n      documenting the results. In addition, NIST SP 800-53 Revision 4, control CP-3, requires system\n      owners to \xe2\x80\x9ctrain personnel in their contingency roles and responsibilities to the information\n      system and provide refresher training.\xe2\x80\x9d\n\n      The contingency plan for DTP has not been tested in the past year.\n\n      Recommendation 3\n      We recommend that the owners of DTP test the system\xe2\x80\x99s contingency plan annually.\n\n      OCIO Response:\n      \xe2\x80\x9cOCIO agrees that the DTP contingency plan has not been tested. OCIO is currently in the\n      process of updating and testing the LAN/WAN GSS Contingency Plan. DTP will collapse in\n      to the LAN/WAN GSS at which point the LAN/WAN contingency plan will encompass DTP.\xe2\x80\x9d\n\n      OIG Reply:\n      As part of the audit resolution process, we recommend that the OCIO provide OPM\xe2\x80\x99s IOC\n      division with evidence that the DTP contingency plan was tested as a part of the annual\n      LAN/WAN contingency plan test.\n\nVIII. Privacy Impact Assessment\n      FISMA requires agencies to perform a screening of federal information systems to determine if a\n      Privacy Impact Assessment (PIA) is required for that system. OMB Memorandum M-03-22\n      outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any\n      vulnerabilities of privacy in information systems and to document any privacy issues that have\n      been identified and addressed. 
The OPM Privacy Impact Assessment Guide states that \xe2\x80\x9call OPM\n      IT systems must have a Privacy Threshold Analysis (PTA) which is utilized to determine if a\n      PIA is required.\xe2\x80\x9d\n\n      The OCIO completed a PTA of DTP and determined that a PIA was not required for this system.\n\n IX. Plan of Action and Milestones Process\n      A Plan of Action and Milestones (POA&M) is a tool used to assist agencies in identifying,\n      assessing, prioritizing, and monitoring the progress of corrective efforts for IT security\n      weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT\n      security weaknesses associated with the agency\xe2\x80\x99s information systems.\n\n      The OIG evaluated the DTP POA&M and verified that it follows the format of OPM\xe2\x80\x99s standard\n      template, and that updates are routinely submitted to the OCIO for evaluation.\n\n\n                                                     7\n\x0c   We found no issues with the POA&M process for DTP.\n\nX. NIST SP 800-53 Revision 4 Evaluation\n   NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and\n   Organizations, provides guidance for implementing a variety of security controls for information\n   systems supporting the federal government. As part of this audit, we evaluated whether a subset\n   of these controls had been adequately implemented for DTP. These controls were evaluated by\n   interviewing individuals with DTP security responsibilities, reviewing documentation and\n   system screenshots, and viewing demonstrations of system capabilities. 
We determined that the\n   controls described below could be improved.\n\n   a) CM-3 Configuration Change Control & CM-5 Access Restrictions for Change\n      DTP application programmers have the technical ability to develop a change and move it into\n      production without following the appropriate change control process.\n\n      NIST SP 800-53 Revision 4 requires organizations to appropriately control changes to the\n      information system, ensuring all changes are formally approved prior to implementation and\n      that the change process is reviewed. Logical access restrictions must be defined,\n      documented, approved, and enforced for all changes to the information system. The OCIO\n      must also ensure that it \xe2\x80\x9ctests, validates, and documents changes to the information system\n      before implementing the changes on the operational system.\xe2\x80\x9d\n\n      NIST SP 800-53 Revision 4 explains that \xe2\x80\x9cany changes to the . . . system can potentially have\n      significant effects on the overall security of the system. Accordingly, only qualified and\n      authorized individuals [should be] allowed to obtain access to information system\n      components for purposes of initiating changes, including upgrades and modifications.\xe2\x80\x9d\n\n      The size of the change should not justify a diversion from the approved System Development\n      Life Cycle (SDLC). Furthermore, to ensure appropriate segregation of duties, a separate\n      business unit should be responsible for moving code between development/test and\n      production. No one individual should be able to migrate a change through the entire change\n      control environment.\n\n      Recommendation 4\n      We recommend that the OCIO make the appropriate system modifications to ensure\n      appropriate segregation of duties are enforced within DTP.\n\n      OCIO Response:\n      \xe2\x80\x9cOCIO agrees that the DTP system segregation of duties is not adequate. 
The LAN/WAN\n      GSS is in the process of reorganizing roles and functions within the environment to ensure\n      segregation of duties. The LAN/WAN GSS is in the process of instituting technical\n      controls between environments which would ensure that changes are not made without\n      following the correct protocols. DTP will be able to leverage these changes as soon as it is\n      converted in to a subsystem of the LAN/WAN GSS.\xe2\x80\x9d\n\n\n                                                  8\n\x0c        OIG Reply:\n        As part of the audit resolution process, we recommend that the OCIO provide OPM\xe2\x80\x99s IOC\n        division with evidence that roles and responsibilities are appropriately adjusted with the\n        reorganization of the environment to ensure proper segregation of duties.\n\n        Recommendation 5\n        We recommend that the OCIO make the appropriate organizational modification to ensure a\n        business unit independent of the application developers migrates changes into production.\n        That same business unit should be responsible for validating that all elements of the SDLC\n        were followed, changes were appropriately tested, and all documentation is valid and\n        approved prior to migrating changes into production.\n\n        OCIO Response:\n        \xe2\x80\x9cOCIO agrees that there are weaknesses within the SDLC process of the DTP\n        environment. The LAN/WAN currently utilizes a change control board in order to\n        facilitate any changes to the environment. The LAN/WAN plans to also put more stringent\n        measures in place to ensure that the SDLC process is followed, changes are tested, and all\n        documentation is valid prior to migration to the production environment. 
DTP will be able to leverage these changes as soon as it is converted into a subsystem of the
   LAN/WAN GSS."

   OIG Reply:
   As part of the audit resolution process, we recommend that the OCIO provide OPM's IOC
   division with evidence that changes for DTP follow the approved SDLC with regard to both
   procedure and documentation, and that the individuals with the technical capability to
   migrate changes to production are independent of the developers, testers, and business users.

b) CM-6 Configuration Settings
   We conducted vulnerability scans of the databases and servers supporting DTP using the
   AppDetective Pro and Nessus scanning tools. Although the technical details of these settings
   will not be included in this report, the OCIO has been provided with this information.

   The vulnerability scans revealed that both the database and server generally contain settings
   configured in a manner compliant with OPM's configuration policies.

XI. System Organization and Classification
a) Multiple Production Environments
   DTP is a general support system intended to be used for the development and testing of new
   and/or modified applications hosted in the LAN/WAN production environment. Currently,
   DTP comprises a development, test, and production environment. However, the production
   environment of DTP resides on the LAN/WAN and is not segregated from the production
   applications hosted on LAN/WAN.
Essentially there are two production environments.

   While there are clearly defined technical boundaries segregating the development and test
   environments from the production environment within DTP, there should only be one
   production environment in OPM's infrastructure.

   Recommendation 6
   We recommend that the OCIO make the appropriate system modification to ensure that there
   is only one production environment in OPM's technical infrastructure.

   OCIO Response:
   "OCIO agrees that there should only be one production environment. OCIO intends to
   convert DTP into a subsystem of the LAN/WAN GSS within the next four months. At that
   point there will only be one production environment."

   OIG Reply:
   As part of the audit resolution process, we recommend that the OCIO provide OPM's IOC
   division with evidence that the conversion of DTP to a subsystem of the LAN/WAN GSS
   results in only one production environment.

b) Reclassification of DTP
   DTP is currently classified as a "major application" and is included on OPM's master
   inventory of major systems. During the course of the audit we were informed that it is the
   intention of the OCIO to reclassify the development and test elements of DTP as subsystems
   under the LAN/WAN, and to consolidate the production elements of DTP into the LAN/WAN
   production environment.

   OPM's LAN/WAN general support system (also owned and operated by the OCIO) currently
   supports a variety of minor applications.
Considering that the OCIO currently provides technical support for DTP and that the system
   already resides within the boundaries of the LAN/WAN, we believe this would be an
   appropriate way to address our audit concerns.

   As part of the reclassification process, the OCIO should update the LAN/WAN SSP to
   include DTP as a minor application and to document the security controls that DTP inherits
   from the general support system.

   Although reclassifying DTP as a minor application would alleviate some of the SA&A
   related requirements applicable to major systems, it does not absolve the OCIO from
   ensuring the remediation of the security weaknesses identified in prior security assessments
   and this audit report.

Major Contributors to this Report
This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector
General, Information Systems Audits Group. The following individuals participated in the audit
and the preparation of this report:

• [name redacted], Group Chief
• [name redacted], Lead IT Auditor-in-Charge
• [name redacted], IT Auditor

APPENDIX

United States Office of Personnel Management
1900 E Street, NW
Washington, D.C.
20415

MEMORANDUM FOR:   [name redacted]
                  Lead IT Auditor

FROM:             [name redacted]
                  Designated Security Officer

SUBJECT:          DTP Response to OIG Audit

OIG Recommendation 1
We recommend that the DTP environment be subject to a complete and current SA&A process.

OCIO Response:
OCIO intends to make the DTP environment a sub-system of the LAN/WAN GSS within the
next four months. The LAN/WAN GSS will have a new SA&A completed at that time. Many
of the weaknesses identified within this OIG audit with the DTP environment will be remediated
as a result of that SA&A process.

OIG Recommendation 2
We recommend that DTP be subject to continuous monitoring in accordance with OPM policy.

OCIO Response:
OCIO completed and submitted the Information System Continuous Monitoring Report for the
DTP environment on 04/16/14. This report encompassed all the moderate controls that ITSP
required to be tested in Q1 and Q2 of FY14.

Recommendation 3
We recommend that the owners of DTP test the system's contingency plan.

OCIO Response:
OCIO agrees that the DTP contingency plan has not been tested. OCIO is currently in the
process of updating and testing the LAN/WAN GSS Contingency Plan. DTP will collapse into
the LAN/WAN GSS at which point the LAN/WAN contingency plan will encompass DTP.

Recommendation 4
We recommend that the OCIO make the appropriate system modifications to ensure that
appropriate segregation of duties is enforced within DTP.

OCIO Response:
OCIO agrees that the DTP system segregation of duties is not adequate. The LAN/WAN GSS is
in the process of reorganizing roles and functions within the environment to ensure segregation
of duties. The LAN/WAN GSS is in the process of instituting technical controls between
environments which would ensure that changes are not made without following the correct
protocols.
DTP will be able to leverage these changes as soon as it is converted into a
subsystem of the LAN/WAN GSS.

Recommendation 5
We recommend that the OCIO make the appropriate organizational modification to ensure that a
business unit independent of the change process migrates changes into production. That
same business unit should be responsible for validating that all elements of the SDLC were
followed, changes were appropriately tested, and all documentation is valid and approved prior to
migrating changes into production.

OCIO Response:
OCIO agrees that there are weaknesses within the SDLC process of the DTP environment. The
LAN/WAN currently utilizes a change control board in order to facilitate any changes to the
environment. The LAN/WAN plans to also put more stringent measures in place to ensure that
the SDLC process is followed, changes are tested, and all documentation is valid prior to
migration to the production environment. DTP will be able to leverage these changes as soon as
it is converted into a subsystem of the LAN/WAN GSS.

Recommendation 6
We recommend that the OCIO make the appropriate system modification to ensure that there
is only one production environment.

OCIO Response:
OCIO agrees that there should only be one production environment. OCIO intends to convert
DTP into a subsystem of the LAN/WAN GSS within the next four months. At that point there
will only be one production environment.

Date: [handwritten date illegible in the scanned copy]